Jump to Navigation | Jump to Content
American Bar Association

Litigation News

Arizona Ethical Opinion Stresses Safety of Client Information Online

By Effie Silva, Litigation News Associate Editor – June 14, 2010

From online electronic filing to remote access databases, legal professionals must learn to set up and use their computer systems in a way that still protects client confidences in this new digital world.

Bar associations around the country are weighing in on an attorney’s ethical responsibilities in making such decisions. One example of this growing trend is an ethical opinion issued by the State Bar of Arizona’s Committee on the Rules of Professional Conduct. The opinion responded to an attorney’s inquiry about the system the attorney used to “allow clients online access to view and retrieve client files.”

The State Bar of Arizona Weighs In
Drawing on two existing rules of professional conduct regarding “Competence” and “Confidentiality of Information,” the committee determined that the attorney’s complex method of converting client documents into “password-protected PDF format,” which the client could then access for review over a secure online server was a reasonable method to ensure that the client’s confidences were not disclosed to third parties through theft or inadvertence. The proposed system also used “encryption and three layers of unique randomly generated alpha-numeric folder names and passwords.”

“To the extent it suggests that encryption and several layers of password protection are required for electronically available client documents, this jurisdiction has gone in a different direction from most other jurisdictions and the ABA,” says Michele D. Hangley, Philadelphia, cochair of the ABA Section of Litigation’s Ethics and Professionalism Committee. “Under ABA Model Rule of Professional Conduct 1.6, an attorney maintains the confidentiality of electronic communications of any kind if she has enough security measures in place to give rise to a reasonable expectation of privacy,” Hangley explains.

“The comments to the Model Rule also note that extra precautions may be necessary for documents that are particularly sensitive or might be particularly tempting to hackers,” Hangley continues. However, “this opinion appears to apply these ‘extra-sensitive’ measures to all client documents,” she says. “While multiple levels of password protection may be a good idea in many situations, in ordinary circumstances they might also be counterproductive; they might impede smooth attorney-client communications or even encourage users to evade the security measures.”

Periodic Review of Security Measures
Recognizing that technology advances may make certain protective measures obsolete over time, the Arizona committee advised lawyers to “periodically review security measures in place to ensure they still reasonably protect the security and confidentiality of the client’s documents and information.”

However, citing other ethical opinions from New Jersey and North Carolina, the Arizona committee also acknowledged that the duty to take reasonable precautions and protect against foreseeable attempts at unauthorized access does not require a lawyer to guarantee that their computer system is “invulnerable to unauthorized access.”

“Although attorneys should take steps to safeguard confidential information on their computer systems, they cannot be expected to absolutely prevent any breaches in security, especially because technology is constantly changing,” contends Kim R. Jessum, Philadelphia, cochair of the Section’s Technology for the Litigator Committee.

Recognize Your Limitations
“Ultimately, the Arizona opinion seems to try to strike a balance between the utility of new technology and the role that an attorney must play in making sure the technology is used correctly,” says Daniel A. Schwartz, Hartford, CT, chair of the Social Media Subcommittee of the Section’s Technology for the Litigator Committee.

“Some attorneys may be able to accomplish this on their own; others may need to seek some outside help,” he notes. As the committee stated, “it is important that lawyers recognize their own competence limitations regarding computer security measures,” Schwartz says. Based on the opinion, lawyers have to “take the necessary time and energy to become competent or alternatively consult available experts in the field,” he warns.

Jessum agrees, finding that “many smaller firms that do not have IT departments do consult with IT professionals for updates in technology and troubleshooting, so the attorneys in those firms are probably receiving advice about security in their consultations.”

Client Expectations
“Many attorneys are not using all the technology out there because either they do not know what is available or believe that the risk of using it would open them up to claims,” says Schwartz. However, “there are many firms that already share files with clients over the Internet and have been doing so for many years,” says Jessum.

Because “some clients now expect that type of service, it is in many attorneys’ best interests to provide top notch security along with their top notch technology,” she notes.

Keywords: Litigation, ethics, Arizona ethics opinion, client protection, online security


Be the first to comment.


We welcome your comments. Please use the form below to post.

Copyright © 2017, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).

Back to Top